
How SharePoint Permissions work (Best Practices)

āđāļŠāļĢāđŒ
āļāļąāļ‡
  • Published on 15 Aug 2024
  • SharePoint permissions are complicated. I simplify it all for you in this tutorial.
    This video explains how permissions work in SharePoint and the best practices to follow when setting up permissions on a SharePoint site. There are many different locations and settings you need to adjust if you want to properly secure your SharePoint site. In this video, I cover a total of 10 permissions tips, tricks and best practices.
    00:00 - How SharePoint Permissions work
    02:48 - Tip # 1: Manage Permission at the Site level
    08:55 - Tip # 2: Use 3 SharePoint Groups on Communication Sites
    21:39 - Tip # 3: Use Microsoft 365 Groups on Team Sites
    29:39 - Tip # 4: Adjust Site Sharing Settings
    35:07 - Tip # 5: Adjust External Sharing on each Site
    39:09 - Tip # 6: Remove users from shared files and folders
    43:15 - Tip # 7: Assign minimum permissions necessary
    45:35 - Tip # 8: Assign minimum sharing permissions
    49:58 - Tip # 9: Decide on Active Directory Groups or Microsoft 365 Groups
    52:24 - Tip # 10: Conduct User Training
    👉 Additional tips and references in this blog post I mentioned in the video: sharepointmave...
    The following 10 permissions tricks are covered in this SharePoint Permissions Tutorial:
    Manage security at the site level. Too often, when companies migrate from file shares to SharePoint, they tend to manage permission at the folder level. In SharePoint, we manage permissions at the site level. So it is very important to create the proper Information Architecture first so that you can start managing permissions at the site level.
    Utilize 3 SharePoint security groups for Communication sites. Communication Sites use 3 built-in SharePoint Security Groups (Visitors, Members, Owners). Make sure to use those 3 default security groups. Do not create new groups, and do not click on Advanced Permissions Settings.
    Utilize Group Membership for Team Sites. If you have a Team Site, then permissions shall be managed via the Microsoft 365 Group. You can also rely on SharePoint Site security itself if necessary.
    Manage Site Sharing Settings. Even if you set up the proper permissions, you must also set up Site Sharing Settings. By default, members can easily share a site with their colleagues. You can prevent that by configuring Site Sharing Settings.
    Manage external sharing settings per site as necessary. External sharing is a necessary component of modern collaboration. I recommend that you do not disable external sharing. Instead, you can enable or disable external sharing for each individual site.
    Remove Users from shared files and folders as necessary. If you or your users share files and folders with members outside of the team, you definitely will need to remove their access via the Manage Access feature.
    Always give the minimum permissions possible to the site. When assigning permissions to a site, make sure to give the minimum permissions the user needs. For example, if users need to just read and download, do not assign them an Edit Permission level. Likewise, if users just need to edit content (documents, pages), do not give them an Owner (Full Control) permission level.
    Always give the minimum permissions possible when sharing links to files and folders. The same logic applies when sharing files and folders. Make sure to generate View Only links if necessary. Or generate links for Specific People if necessary.
    Make a decision about Active Directory vs. Microsoft 365 Groups. Your organization will also need to make a decision on whether to rely on Active Directory Groups or Microsoft 365 Groups for security management. With AD Groups, you let IT control security, while with Microsoft 365 Groups, you let your users manage the security and membership.
    SharePoint Training. The last advice I want to give you - make sure to conduct proper training for your users. Your Site owners must understand the difference between different types of sites, security groups, and sharing link types.
    👉 Continue learning more on this topic by watching this video: • How to create Newslett...
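
The checks from tips 1, 2, 7 and 8 above, written as a small audit over a site's permission grants and sharing links. This is an added example, not taken from the video or the blog post; the record layout, the `audit` function and every site, group and user name are constructed for illustration.

```python
# Added example. The record layout is hypothetical (not a SharePoint export
# format); every site, group and user name below is constructed sample data.
DEFAULT_GROUPS = ("Owners", "Members", "Visitors")  # the 3 built-in groups (tip 2)

# (scope, principal, principal_type, permission_level)
GRANTS = [
    ("site", "Finance Forms Owners", "sp_group", "Full Control"),
    ("site", "Finance Forms Members", "sp_group", "Edit"),
    ("site", "Finance Forms Visitors", "sp_group", "Read"),
    ("site", "Finance Approvers", "sp_group", "Edit"),
    ("site", "alice@contoso.example", "user", "Full Control"),
    ("folder:/Shared Documents/Payroll", "bob@contoso.example", "user", "Edit"),
]
# (item, link_audience, link_permission)
LINKS = [
    ("/Shared Documents/Budget.xlsx", "Anyone", "Edit"),
    ("/Shared Documents/Policy.pdf", "Specific people", "View"),
]


def audit(grants, links):
    """Return (tip, message) findings for grants and links that break the tips."""
    findings = []
    for scope, principal, ptype, level in grants:
        if scope != "site":
            # Tip 1: permissions belong at the site level, not on folders/files.
            findings.append(("tip1", f"unique permission on {scope} for {principal}"))
        elif ptype == "user":
            # Tip 2: membership goes through the built-in groups, not direct grants.
            findings.append(("tip2", f"{principal} is granted access directly"))
        elif not principal.endswith(DEFAULT_GROUPS):
            findings.append(("tip2", f"{principal} is not a default site group"))
        if level == "Full Control" and not principal.endswith("Owners"):
            # Tip 7: Full Control is the Owner level; flag it outside Owners for review.
            findings.append(("tip7", f"{principal} holds Full Control"))
    for item, audience, permission in links:
        if permission == "Edit" and audience != "Specific people":
            # Tip 8: prefer View-only links, or links for specific people.
            findings.append(("tip8", f"{audience} link can edit {item}"))
    return findings


if __name__ == "__main__":
    for tip, message in audit(GRANTS, LINKS):
        print(tip, message)
```
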

Comments • 25

  • @SharePointMaven  3 months ago

    👉 If you want to learn more on this topic, check out this video as well: th-cam.com/video/SumfCvtlYWI/w-d-xo.htmlsi=rXrVJVPSoTHn_65h

  • @IrlymMylros  3 months ago +1

    Thank you for this excellent video. Very informative.

    • @SharePointMaven  3 months ago

      You are welcome, happy to hear you found it useful

  • @davidthornton2788  several months ago

    Very helpful, thank you!

    • @SharePointMaven  several months ago

      You are welcome!

  • @ukm365  3 months ago

    Great tips for folks new to site ownership or just making their way in administering a SharePoint Online instance.

    • @ukm365  3 months ago

      I would add, though ... that I *think* I'm able to add groups as members of Teams / Teams sites SharePoint Groups.
      I say this because my oft repeated adage is the only tip that I would add, here ... next! 🙂
      ( _just so that it's buried and doesn't look like I'm critiquing you ... because I'm totally not!!!_ :-) ... )

    • @ukm365  3 months ago

      I would say that wherever it is possible, place 365 groups inside SharePoint groups.
      This then puts the access squarely in the hands of your IT / IT Admin/Security team to manage access requests. They already have a business process for handling user access requests, and placing this in their hands is a salient choice all around.
      Managing SharePoint groups in 2024 should not be someone's job, and at best it should be the odd admin having to give themselves access to something.

    • @ukm365  3 months ago

      Remember, too, that it's entirely possible to create low-level M365 Security groups, and you could even set up an automation to sort this all out.
      When someone makes a new communications site, let's call it "_financeforms_" (_later renamed to_ "*Finance Forms*") and it's there just to fulfill a very obvious purpose.
      You can have a subscription monitoring for new sites, and that will create 3 `sp_financeforms` groups like so:
      - `sp_financeforms_owners`
      - `sp_financeforms_members`
      - `sp_financeforms_visitors`
      This might all seem like duplication, but managing M365 groups and their members is second nature for an IT team, or the person who's been assigned that work. Plus, you can often get away with just having a members and visitors group for most functions.
      The IT team certainly *won't* want to be managing SharePoint groups in addition to resources that already exist, plus the ' _SP Finance Forms Owners_ ' group will then be the group that is asked for authorisation to add additional staff to a team, anyway. 👍
      But, yes, leaning into adding individual users to sites will always immediately create a job that someone will need to keep an eye on those memberships.

    • @ukm365  3 months ago

      I like to try to think functionally with my groups, so that if I'm working with a business process, then I will have a Teams team that owns the process.
      So, here, there will be a Finance Teams team, and the *Members* of that Teams team will be in the SharePoint Owners group of the Communications site. They'll also be in the SharePoint Members group ( _because SP can be fickle sometimes_ ), then that enables the whole team to manage the process adequately.

    • @SharePointMaven  3 months ago +1

      Thank you!

  • @jordansmith2022  2 months ago +1

    This is totally off topic to what was discussed in the video, but how did you get the Twitter web part on your site?

    • @SharePointMaven  2 months ago

      Twitter Web part no longer works in SharePoint

  • @austinmorris8272  several months ago +1

    You mentioned that nobody should create custom permission levels, but how else do you prevent deletion of critical folders or files, either intentionally or unintentionally? What if you want to allow modification and adding of new files, but not deletion?

    • @SharePointMaven  several months ago

      This was general advice, but if you absolutely must have such a permission level, you can create it. The problem with it is that it is local to a Site, and if you need such custom permissions on many sites, they need to be set up manually on all sites. There are also ways to allow for file deletion but set up alerts or even retention policies. But again, if that is the requirement, then it is what it is.

  • @matze1968244  6 days ago

    We have the AD Security Group, plus the Microsoft 365 Group, both explained in the video. On top there are also SharePoint Groups at the site level. Could the latter not also be well used for access to a specific folder on a site?

    • @SharePointMaven  6 days ago

      Yes, they can

  • @quahzhengjie  several months ago

    What would your recommendation be for using lists as data source in powerapps, would the recommendation be to create a new site for the lists?

    • @SharePointMaven  several months ago

      I am not familiar with Power Apps, so can't really answer this question.

  • @Clint_p2x  several months ago

    Can you make a group as site owner, so you don't see all the administrators as owner but just the group?
    Thanks

    • @SharePointMaven  several months ago +1

      Yes, you can create a Microsoft Entra ID Group, but it will only work on non-M365 Group sites (i.e., Comm Site).

    • @Clint_p2x  several months ago +1

      @SharePointMaven thank you!!!